https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88856#M18430 <P>Even though I added stanza in inputs.conf file I still dont see logs coming into splunk. I am not sure what I am missing here.</P> Tue, 09 Jul 2013 18:22:51 GMT bhavya_shah 2013-07-09T18:22:51Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88850#M18424 <P>I was able to setup rsyslog to push logs into splunk but issue is only /var/log/messages are pushed to splunk but i have many more logs such as /logs/server-logs/servername/* on rsyslog server that I want to push it to splunk. Is there a way to push it?</P> Tue, 09 Jul 2013 00:40:58 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88850#M18424 bhavya_shah 2013-07-09T00:40:58Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88851#M18425 <P>You need to create an inputs.conf file on your forwarder that has a stanza for all the logs that you want.</P> Tue, 09 Jul 2013 00:55:54 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88851#M18425 adrianathome 2013-07-09T00:55:54Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88852#M18426 <P>If you dont mind can you share the example inputs.conf file?</P> Tue, 09 Jul 2013 00:57:16 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88852#M18426 bhavya_shah 2013-07-09T00:57:16Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88853#M18427 <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configureyourinputs">http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Configureyourinputs</A></P> Tue, 09 Jul 2013 00:59:06 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88853#M18427 msettipane 2013-07-09T00:59:06Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88854#M18428 <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Exampleaddaninputtoforwarders">http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Exampleaddaninputtoforwarders</A></P> Tue, 09 Jul 2013 01:01:33 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88854#M18428 adrianathome 2013-07-09T01:01:33Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88855#M18429 <P>In its simplest form you just need something like the following stanza in the inputs.conf on the rsyslog server. (I assume, from the mention of other logs already being pushed, you have installed a light forwarder instance at the very least.)</P> <PRE><CODE>[monitor:///logs/server-logs/] host_segment = 3 sourcetype = syslog index = syslog disabled = false </CODE></PRE> <P>As splunk try the following:</P> <PRE><CODE>bin/splunk btool inputs list --debug </CODE></PRE> <P>This should show you your complete inputs configuration.</P> <P>To interrogate what is or is not being consumed, point this at your indexer:</P> <PRE><CODE><A href="https://{yoursplunkserver}:8089/services/admin/inputstatus/TailingProcessor:FileStatus" target="test_blank">https://{yoursplunkserver}:8089/services/admin/inputstatus/TailingProcessor:FileStatus</A> </CODE></PRE> <P>It will show you what is and what is not being processed, and why.</P> Tue, 09 Jul 2013 01:08:55 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88855#M18429 grijhwani 2013-07-09T01:08:55Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88856#M18430 <P>Even though I added stanza in inputs.conf file I still dont see logs coming into splunk. I am not sure what I am missing here.</P> Tue, 09 Jul 2013 18:22:51 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88856#M18430 bhavya_shah 2013-07-09T18:22:51Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88857#M18431 <P>I tried and it does show me complete inputs.conf info but still dont know why its not pushing the log.</P> Tue, 09 Jul 2013 22:53:33 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88857#M18431 bhavya_shah 2013-07-09T22:53:33Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88858#M18432 <P>I am still not getting logs but I have more issue. </P> <P>/opt/splunkforwarder/bin/splunk list forward-server</P> <P>Active forwards:<BR /> None<BR /> Configured but inactive forwards:<BR /> servername:9997</P> <P>Here is the exact error on my forwarder on splunkd.log</P> <P>07-11-2013 16:19:56.153 -0700 WARN TcpOutputProc - Cooked connection to ip=ipaddress:9997 timed out</P> Thu, 11 Jul 2013 23:33:36 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88858#M18432 bhavya_shah 2013-07-11T23:33:36Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88859#M18433 <P>In that case you seem to have firewall or routing issues.</P> Thu, 11 Jul 2013 23:42:07 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88859#M18433 grijhwani 2013-07-11T23:42:07Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88860#M18434 <P>Firewall issue has been fixed but in splunkd.log I am seeing following error:</P> <P>07-15-2013 04:09:36.647 -0700 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...<BR /> 07-15-2013 04:09:38.935 -0700 INFO TailingProcessor - ...continuing.</P> <P>07-15-2013 04:10:00.879 -0700 INFO BatchReader - Removed from queue file=</P> <P>07-15-2013 09:27:38.824 -0700 INFO WatchedFile - Will begin reading at offset</P> Mon, 15 Jul 2013 16:34:57 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88860#M18434 bhavya_shah 2013-07-15T16:34:57Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88861#M18435 <P><A href="http://splunk-base.splunk.com/answers/95281/having-issues-with-universal-forwarder">http://splunk-base.splunk.com/answers/95281/having-issues-with-universal-forwarder</A></P> <P><A href="http://splunk-base.splunk.com/answers/95503/how-to-setup-universal-forwarder-on-linux">http://splunk-base.splunk.com/answers/95503/how-to-setup-universal-forwarder-on-linux</A></P> Tue, 16 Jul 2013 21:58:03 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/88861#M18435 bhavya_shah 2013-07-16T21:58:03Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/688716#M114674 <P>Hi Bhavya,</P><P>What add-ons did you need on Splunk enterprise to receive logs from rsyslog client?</P><P>Was rsyslog on an external system?&nbsp;</P><P>Thanks.</P><P>Joanna.</P> Sun, 26 May 2024 10:05:41 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/688716#M114674 Joanna 2024-05-26T10:05:41Z https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/688743#M114679 <P>In case you haven't noticed, this is a really old thread. Your question might not get the visibility you want in this thread. Try starting a new thread describing your problem in the Getting Data In section of this forum.</P> Sun, 26 May 2024 21:26:20 GMT https://community.splunk.com/t5/Getting-Data-In/Push-logs-from-rsyslog-into-splunk/m-p/688743#M114679 PickleRick 2024-05-26T21:26:20Z